Bug bounties: Which companies offer researchers cash?

A list of hundreds of companies and what they offer in return for vulnerability reports has been released.

Bug bounties are being offered more frequently by vendors to stamp out security issues before they become widespread -- but where should researchers go to find the best return for their time and skills?

Once, before cybersecurity skills became so high in demand thanks to frequent, high-profile security breaches such as those suffered in recent times by Target, Sony and Anthem, researchers were given credit for disclosing software vulnerabilities to vendors, but often little else.

However, times have changed -- and more and more often, companies are offering financial rewards or gifts for white hat hackers who choose to disclose bugs and vulnerabilities directly to vendors, rather than selling them on through the black market for a profit.

The average price of a vulnerability in the underground varies, but zero-day exploits often reach thousands of dollars within the five-figure range.

Despite the high price some bugs and software flaws can fetch in the black market, many researchers retain their white hats. But where should they go to earn some extra cash for their skills?

See also: Bug bounties: 'Buy what you want'

A go-to bug bounty list has recently released by Vulnerability Lab, giving white hats the chance to research and pick the bug bounties most appropriate for their efforts.

The list includes over 420 bug bounty programs currently on offer, as well as how many silent or behind-the-scenes programs exist -- and how many will grant security researchers a reward for their efforts.

For example, Apple's bug bounty program does not offer financial rewards or gifts, but currently only acknowledges the research done -- which, in some cases, may be enough for a researcher's resume. However, companies including AT&T, Avast, Dell Secureworks, Microsoft and Facebook's white hat program offer cash in return for vulnerability reports.

As noted by HackerOne CPO and former Microsoft security expert Katie Moussouris, a bug bounty is not a cure-all system to hack-proof software, but it is an important part of the product development lifecycle -- and one more vendors should consider. By enticing more eyeballs to scrutinize code before it is released into the public domain, vendors are less likely to end up playing "whack-a-bug," or dealing with severe security flaws which could place customers at risk.

If you're interested in viewing the list and potentially earning some extra income through lucrative bug bounties, click here.

Read on: Top picks

Show Comments